User access security refers to the collective procedures by which authorized users access a computer system and unauthorized users are kept from doing so. To make this distinction a little more realistic, however, understand that user access security limits even authorized users to those parts of the system that they are explicitly permitted to use (which, in turn, is based on their "need-to-know"). After all, there is no reason for someone in Staff Payroll to be given clearance to confidential student records.

It Really Happens!

Kim approached Fred cautiously. As the security manager, she knew how important it was to gather information completely before jumping to conclusions. "Fred, my review of our computer logs shows that you have been logging in and looking at confidential student information. I couldn't understand why someone in Food Services would need to be browsing through individual student test scores, so I thought I'd come by and ask you."

Fred looked up at Kim as if he was surprised to be entertaining such a question. "Are you forgetting that I'm authorized to access student records?"

"I didn't know that my access was limited," Fred asserted honestly. "I figured that if my password got me into a file, it was fair game."

Kim paused, realizing that it might be reasonable for Fred to have assumed that he was allowed to read a file if his password gave him access. "Hmm, I see your point, Fred, but in truth you shouldn't be accessing student record information that isn't related to your legitimate educational duties. I'm not going to make a big deal of it this time, but from now on, limit your browsing to the free- and reduced-price lunch information. In the meantime, I'm going to send a memo out to staff reminding them what need-to-know really means."

"And you might want to reconsider how our password system works," Fred added. "It would have been very clear to me that I had no business in a file if my password wouldn't get me in."

While there is no question that an organization has the right to protect its computing and information resources through user access security activities, users (whether authorized or not) have rights as well. Reasonable efforts must be made to inform all users, even uninvited hackers, that the system is being monitored and that unauthorized activity will be punished and/or prosecuted as deemed appropriate. If such an effort is not made, the organization may actually be invading the privacy rights of its intruders!

An excellent way of properly informing users of monitoring activities is through the opening screen that is presented to them. By reading a warning like the one that follows, users explicitly accept both the conditions of monitoring and punishment when they proceed to the next screen. Thus, the first screen any user sees when logging into a secure computer system should be something to the following effect:

W A R N I N G !

This is a restricted network. Use of this network, its equipment, and resources is monitored at all times and requires explicit permission from the network administrator. If you do not have this permission in writing, you are violating the regulations of this network and can and will be prosecuted to the full extent of the law. By continuing into this system, you are acknowledging that you are aware of and agree to these terms.

Never include the word "Welcome" as a part of the log-in process--it can be argued that it implies that whoever is reading the word is, by definition, invited to access the system.

Q. Is it possible to have a secure system if you have employees who telecommute or work otherwise non-traditional schedules?

A. Yes. While particular countermeasures might need to be adjusted to accommodate non-traditional schedules (e.g., the practice of limiting users to acceptable log-in times and locations), a system with telecommuters, frequent travelers, and other remote access users can still be secure. Doing so may require policy-makers to think more creatively, but each security guideline needs to be customized to meet the organization's needs anyway (see Chapter 2).

Q. Is the use of passwords an effective strategy for securing a system?

A. Just because password systems are the most prevalent authentication strategy currently being practiced doesn't mean that they have become any less effective. In fact, the reason for their popularity is precisely because they can be so useful in restricting system access. The major concern about password systems is not their technical integrity, but the degree to which (like many strategies) they rely upon proper implementation by users. While there are certainly more expensive and even more effective ways of restricting user access, if risk analysis determines that a password system meets organizational needs and is most cost-effective, you can feel confident about password protection as long as users are implementing the system properly--which, in turn, demands appropriate staff training (see Chapter 10).

Q. Are all of these precautions necessary if an organization trusts its staff?

A. Absolutely. While the vast majority of system users are probably trustworthy, it doesn't mean that they're above having occasional computing accidents. After all, most system problems are the result of human mistake. By instituting security procedures, the organization protects not only the system and its information, but also each user who could at some point unintentionally damage a valued file. By knowing that "their" information is maintained in a secure fashion, employees will feel more comfortable and confident about their computing activities.

Initiating security procedures also benefits users by:

1) Helping them to protect their own files

2) Decreasing the likelihood of their improperly releasing confidential information

3) Educating them about what is and is not considered to be appropriate behavior

User access security demands that all persons (or systems) who engage network resources be required to identify themselves and prove that they are, in fact, who they claim to be. Users are then limited to those files that they absolutely need to meet their job requirements, and no more. To accomplish this, decision-makers must establish policies regulating user account systems, user authentication practices, log-in procedures, physical security requirements, and remote access mechanisms.

As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk.

The following countermeasures address user access security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter potential user access breaches in your security system.

Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a reliable technical consultant.

Select only those countermeasures that meet perceived needs as identified during risk assessment (Chapter 2) or support policy (Chapter 3).

Secure the user account name list: Because of its importance to system security, the user account list should be considered confidential and should never be made public. Consider storing it as an encrypted file.

Monitor account activities: Keep a record of all system use (many systems perform this function through an audit trail feature).

Terminate dormant accounts after a pre-set period of inactivity (e.g., 30 days): Legitimate users can always reapply and reestablish their accounts.

See Chapter 9 for guidelines for authenticating messages transmitted over outside networks.

Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.

Require Users to "Authenticate" Themselves in Order to Access Their Accounts (i.e., make sure that they prove that they are who they are representing themselves to be):

Select an authentication system: The right choice for an authentication system depends on the needs of the organization and its system, and should be based on the findings of a risk assessment (see Chapter 2). Note that the following options progress from least secure to most secure, as well as (not surprisingly) from least expensive to most expensive:

There are tradeoffs associated with making passwords more difficult to remember than a pet's name or a person's initials (e.g., staff are more likely to write down password reminders). The costs and benefits of these tradeoffs should be considered in the organization's risk assessment (see Chapter 2).

Passwords

Because passwords are the most common method of user authentication, they deserve special attention.

Require that passwords be at least six characters in length (although eight to ten are preferable).

Prohibit the use of passwords that are words, names, dates, or other commonly expected formats.

Forbid the use of passwords that reflect or identify the account owner (e.g., no birthdates, initials, or names of pets).

Require a mix of characters (i.e., letters/numbers and upper/lower case if the system is case sensitive).

One way to effectively create apparently random passwords that can be memorized easily is to use the first letter of each word in a favorite quote, capitalize every other letter, and add a number. For example, Longfellow's "One if by land, two if by sea" (from Paul Revere's Ride) becomes the password "oIbLtIbS3".

Remind users that it is easy to change passwords if they think that theirs may have been compromised.

Maintain an encrypted history of passwords to make sure that users are not simply recycling old passwords when they should be changing them.
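The password rules above (minimum length, no words, names or dates, nothing that identifies the owner, a mix of characters), the quote-based mnemonic recipe, and the encrypted password history, implemented together as an added example that is not part of the original guide. The small word list, the owner "tokens" (initials, pet names) and the salted PBKDF2 digests are assumptions made for the example; a deployment would plug in a full dictionary and its own hashing.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime

# Constructed stand-in for a real dictionary plus staff and student names.
COMMON_WORDS = {"password", "welcome", "school", "student", "fred", "kim", "fluffy"}
MIN_LENGTH = 6   # the chapter's floor; eight to ten characters are preferable

def mnemonic_password(quote: str, number: int) -> str:
    """Chapter's recipe: first letter of each word, every other one capitalized, plus a number."""
    initials = [w[0] for w in re.findall(r"[A-Za-z]+", quote)]
    mixed = "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(initials))
    return f"{mixed}{number}"

def looks_like_date(pw: str) -> bool:
    """Catch birthdate-style passwords such as 041275, 12041975 or 1975-12-04."""
    digits = re.sub(r"[-/]", "", pw)
    if not digits.isdigit() or len(digits) not in (6, 8):
        return False
    for fmt in ("%m%d%y", "%d%m%y", "%m%d%Y", "%d%m%Y", "%Y%m%d"):
        try:
            return bool(datetime.strptime(digits, fmt))
        except ValueError:
            pass
    return False

def check_password(pw: str, owner_tokens: set) -> list:
    """Return the chapter's rules that pw violates (empty list = acceptable); owner_tokens identify the owner."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_WORDS or looks_like_date(pw):
        problems.append("is a word, name, date, or other expected format")
    if any(t.lower() in pw.lower() for t in owner_tokens if t):
        problems.append("reflects or identifies the account owner")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        problems.append("lacks a mix of upper/lower case letters and digits")
    return problems

class PasswordHistory:
    """Per-user salted PBKDF2 digests: recycled passwords are detectable without keeping the old ones."""
    def __init__(self, depth: int = 5):
        self.depth = depth
        self._entries = {}   # user -> list of (salt, digest)

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def was_used(self, user: str, pw: str) -> bool:
        return any(hmac.compare_digest(self._digest(pw, salt), d)
                   for salt, d in self._entries.get(user, []))

    def record(self, user: str, pw: str) -> None:
        hist = self._entries.setdefault(user, [])
        salt = os.urandom(16)
        hist.append((salt, self._digest(pw, salt)))
        del hist[:-self.depth]   # keep only the most recent `depth` digests

def change_password(history: PasswordHistory, user: str, new_pw: str, owner_tokens: set) -> list:
    """Apply the policy and the history check; record the password only if both pass."""
    problems = check_password(new_pw, owner_tokens)
    if history.was_used(user, new_pw):
        problems.append("recycles a previous password")
    if not problems:
        history.record(user, new_pw)
    return problems
```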

Monitor the workplace to ensure that all regulations are being followed.

The security manager must be open to the concerns of system users. Security is a two-way street on which both users and security personnel have legitimate needs.

It Really Happens!

Principal Mullins was a stickler for rules, but he was also serious about getting the job done. When, two weeks after school had already begun, he learned that none of his three new teachers had yet received accounts on the computer network from central office, he was incensed. They had enough to worry about without being hampered by being kept off-line. He called in his assistant, "I don't care whether security policy prohibits password sharing or not, these people need to get on the system. Let them use my password to log on--it's 'A4a6dc', got that? Make sure that they have access to everything they need to do their jobs!"

Three weeks passed before the system administrator e-mailed Principal Mullins about apparent misuse of his password: "System logs show almost daily incidents when more than one person at a time is trying to log on to the system with your password. Please change the password immediately and let me know if you have any idea about who is misusing it."

Principal Mullins knew that he had not only been risking trouble with the system administrator but also truly jeopardizing system security. Despite his initial (and legitimate) anger about his teachers being unable to access the system, he did not feel good about circumventing agreed-upon policy. Unfortunately, when central office was so unresponsive to the needs of his teachers and school, he felt that he had been left with very few options. He replied to the system administrator: "My three new teachers are using the password since they have yet to be assigned their own network accounts. We are not looking to break good rules, only to do our jobs--please allow us to do so. Find a way to get new staff access to the system in a timely manner and we will surely respect and abide by security policy." Principal Mullins could only hope that the system administrator would understand his position, and that system security had not been violated.

Remember to customize countermeasures to meet organizational and user needs.

Some intruders employ "password dictionaries" that, quite literally, try to match passwords one word at a time for thousands and thousands of attempts!

Limit users to acceptable log-in times: There is no reason for an average day-shift employee to be able to access the system in the middle of the night.

Limit users to acceptable log-in locations: There is no reason for an average employee with a terminal on his or her desk to access the system from his or her supervisor's desk.

Set reasonable limits to the number of allowable log-in attempts: Enable the system to assume that anyone who can't enter a password correctly after three attempts may, in fact, not be who they say they are. Allow users more than one or two attempts or else they might make mistakes simply because they are worried about getting shut out. After three incorrect attempts, the account should be suspended (to prevent an intruder from simply calling back and trying three more times). Legitimate users can always have their accounts reopened by contacting the security manager.
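The three log-in rules above (acceptable times, acceptable locations, and suspension after three incorrect attempts, reopened only by the security manager) as an added example that is not part of the original guide. The account fields, the terminal names, the plain SHA-256 digest and the in-memory audit log are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

MAX_ATTEMPTS = 3   # the chapter's rule: suspend the account after three incorrect attempts

def digest(password: str) -> str:
    # Plain SHA-256 keeps the example short; a deployment would use a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    password_digest: str
    allowed_hours: tuple     # (start, end) local hours, e.g. (7, 18) for a day-shift employee
    allowed_terminals: set   # terminal ids the user may log in from (the acceptable locations)
    failed_attempts: int = 0
    suspended: bool = False

class LoginGate:
    """Applies the log-in time, log-in location and attempt-limit rules and keeps an audit trail."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.log = []   # audit trail, held in memory for the example

    def attempt(self, user: str, password: str, terminal: str, when: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None or acct.suspended:
            return self._deny(user, terminal, when, "unknown or suspended account")
        start, end = acct.allowed_hours
        if not start <= when.hour < end:
            return self._deny(user, terminal, when, "outside permitted log-in hours")
        if terminal not in acct.allowed_terminals:
            return self._deny(user, terminal, when, "unapproved log-in location")
        if not hmac.compare_digest(digest(password), acct.password_digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.suspended = True   # stays suspended until the security manager reinstates it
                return self._deny(user, terminal, when, "account suspended after repeated failures")
            return self._deny(user, terminal, when,
                              f"bad password (attempt {acct.failed_attempts} of {MAX_ATTEMPTS})")
        acct.failed_attempts = 0
        self.log.append(f"{when.isoformat()} ALLOW {user} from {terminal}")
        return "allowed"

    def _deny(self, user: str, terminal: str, when: datetime, reason: str) -> str:
        self.log.append(f"{when.isoformat()} DENY {user} from {terminal}: {reason}")
        return "denied: " + reason

    def reinstate(self, user: str) -> None:
        """Security-manager action: reopen a suspended account once the user has been verified."""
        self.accounts[user].suspended = False
        self.accounts[user].failed_attempts = 0

def demo():
    """Constructed scenario: Fred (Food Services) may log in 7:00-18:00 from terminal cafeteria-1."""
    gate = LoginGate({"fred": Account(digest("oIbLtIbS3"), (7, 18), {"cafeteria-1"})})
    def at(hour, minute=0):
        return datetime(2024, 3, 4, hour, minute)
    results = [gate.attempt("fred", "oIbLtIbS3", "cafeteria-1", at(9)),      # allowed
               gate.attempt("fred", "oIbLtIbS3", "cafeteria-1", at(2)),      # middle of the night
               gate.attempt("fred", "oIbLtIbS3", "principal-desk", at(9))]   # supervisor's desk
    results += [gate.attempt("fred", "wrong", "cafeteria-1", at(9, i)) for i in range(3)]
    results.append(gate.attempt("fred", "oIbLtIbS3", "cafeteria-1", at(9, 5)))   # now suspended
    gate.reinstate("fred")
    results.append(gate.attempt("fred", "oIbLtIbS3", "cafeteria-1", at(9, 6)))
    return results, gate.log
```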

Require staff to log off the system and turn off the computer: The last important step of logging on properly is logging off properly. Users should be required to log off every time they leave their workstations (e.g., for lunch, breaks, and meetings). After all, an unauthorized user has free rein over an authorized user's access when a computer is left unattended and logged into the system.

Protect every access node in the system: An "access node" is a point on a network through which you can access the system. If even one such point is left unsecured, then the entire system is at risk. A good example of frequently forgotten access nodes are modular network plugs that are often built into conference rooms (into which portable computers can be plugged). If unauthorized users can get to such a node with a laptop, they are in position to attack the system.

Protect cables and wires as if they were access nodes: If a sophisticated intruder can access a span of cable that is used as a connector between pieces of equipment, he or she may be able to access the entire system. Physically accessing the wiring is referred to as "tapping the line." High-end equipment can monitor electrical emanations (known as Radio Frequency Interference) from wiring without even physically touching the cable.

Disconnect floppy drives from servers: A sophisticated intruder can boot-up (the technical term for "starting the system") from an external disk drive.

Install screen savers (with mandatory locking features): Prevent information from being read by anyone who happens to be walking past the display monitor.

See Chapter 9 for more information about securing connections to outside networks, including the Internet.

Pay Particular Attention to Remote Access Systems (i.e., when someone, including an authorized user, accesses your system from off-site via a modem):

Consider requiring pre-approval for remote access privileges: An identified subset of employees to monitor is more manageable than every random person who calls into the system.

Set modems to answer only after several rings: An authorized user will know that he has dialed a "slow" modem and will therefore be willing to wait. A random-dialer looking to bump into modems may be less likely to be so patient.

Use a "call back" communication strategy with remote access users: Once users call in and properly identify themselves, the connection is dropped and the system then calls back the authorized users at a pre-approved access location.

Use software that requires "message authentication" in addition to "user authentication": Even if a user can provide the right password, each message sent and received must have its delivery verified to ensure that an unauthorized user didn't interrupt the transmission.

Never transmit sensitive information over public telephone lines unless the transmission has first been encrypted: Unless a line can be verified as secure, it must be considered to be susceptible to tampering.

Investigate security features of external networks to which the system connects: The Internet and other networks are not just things your staff can access and browse--they are two-way lines of communication. If security cannot be verified, then additional precautions must be taken (e.g., gateways and firewalls).

Install firewalls on your system at external access points: A firewall is by far the most common way to secure the connection between your network and outside networks. It works by allowing only trusted (authenticated) messages to pass into your internal network from the outside (see also Chapter 9).

School officials allow the use of calculators in the classroom without necessarily understanding how the transistors process mathematical calculations. So, too, can they make informed decisions about highly technical security options like firewalls without having to become experts on installing and operating associated software and hardware.

Never leave a modem on automatic answer mode: Such a practice opens the door to unauthorized and unsupervised system access.

Permit modem use only from secure locations: Never allow a modem to be connected to a system machine that is not itself protected by a firewall or gateway.

Grant Internet access only to those employees who need it to perform their jobs: A student might need the Internet for legitimate learning purposes, but a staff assistant probably does not.

Remind students and staff that the Internet (and all system activity for that matter) is for approved use only: There are countless Internet sites and activities that have no positive influence on the education environment. They have no place on the system.

Require all users to sign Appropriate Use Agreements before receiving access to the system: Signed Security Agreements (see Chapter 3) verify that users have been informed of their responsibilities and understand that they will be held accountable for their actions.

While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

Security Checklist for Chapter 8

The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.

Check Points for User Access Security

Design an Appropriate Opening Screen That Users Must Visit Before Accessing the System

Is the opening screen clear and specific about the organization's expectations of the user?

Does the opening screen require the user to accept the conditions of monitoring and punishment before proceeding?

Implement a User Account System

Is file access limited to that information users need to do their jobs?

Are shared accounts explicitly prohibited?

Is the list of user accounts and names maintained securely?

Is account activity properly monitored?

Are dormant accounts terminated after pre-set periods of inactivity?

Require Users to Authenticate Themselves

Has an appropriate authentication system been selected based on risk assessment findings?

Are passwords required to be at least six characters in length?

Are names, dates, and other commonly anticipated password formats disallowed?

Are passwords that reflect or identify the user forbidden (e.g., initials and pet names)?

Is a mix of letters and numbers, and upper and lower cases required?

Is the use of non-words and random characters encouraged?

Has the system administrator changed all pre-set and packaged passwords?

Are passwords required to be changed at regular intervals?

Is password sharing expressly forbidden?

Are password reminders stored securely by personnel?

Have users been warned to never send their password as a part of an e-mail message?

Have users been warned not to type in their passwords when someone may be watching?

Are password characters masked on display screens?

Have users been told that they can, and should, change their password if they think it might be compromised?

Is a history of user passwords maintained securely and reviewed routinely to ensure that users are not recycling passwords?

Is the workplace appropriately monitored for adherence to security regulations?

Establish Standard Log-in Procedures

Is each user limited to acceptable times for logging into the system?

Is each user limited to acceptable places for logging into the system?

Is there a limit to the number of times a user can attempt to log in incorrectly?

Do staff know to log off and turn off computers?

Recognize the Importance of Physical Security

Have all system access points (nodes) been secured?

Has all cabling and wiring been secured?

Have floppy drives been disconnected from servers?

Are lockable screen savers installed and in use?

Pay Attention to Remote Access (and Modem Use)

Is pre-approval required for remote access capabilities?

Are staff aware that remote access is monitored? Is it?

Are modems set to answer only after several rings?

Is a call-back system in place?

Is message authentication required in addition to user authentication?

Is sensitive information prohibited from being transmitted over public lines unless the files are first encrypted?

Is the organization aware of security features used by outside networks to which it connects? Are they acceptable?

Are firewalls in use as needed?

Are dial-in communication numbers protected from outsiders?

Are modems disabled when not in use?

Are modems always kept off automatic answer modes?

Are modems only installed on computers in secure locations?

Is Internet access granted to only those users who need it?

Have all users been reminded that system use is only for approved activities?

Are users required to sign Appropriate Use Agreements (see Chapter 3) before receiving access to the system?